Bug
Resolution: Unresolved
4.18.z
Moderate
Description of problem:
The controller-manager pod has some routines by default, described below:
controllers:
- openshift.io/build
- openshift.io/build-config-change
- openshift.io/builder-rolebindings
- openshift.io/builder-serviceaccount
- -openshift.io/default-rolebindings
- openshift.io/deployer
- openshift.io/deployer-rolebindings
- openshift.io/deployer-serviceaccount
- openshift.io/deploymentconfig
- openshift.io/image-import
- openshift.io/image-puller-rolebindings
- openshift.io/image-signature-import
- openshift.io/image-trigger
- openshift.io/ingress-ip
- openshift.io/ingress-to-route
- openshift.io/origin-namespace
- openshift.io/serviceaccount
- openshift.io/serviceaccount-pull-secrets
- openshift.io/templateinstance
- openshift.io/templateinstancefinalizer
- openshift.io/unidling
The "openshift.io/image-signature-import" one makes many requests against quay.io every 1 hour to check for signatures, which spams environments that have a proxy or are disconnected, without any (from my understanding) valid reason.
This pod does not even have credentials (access to the global pull-secret) so this routine does not make sense to exist.
Also, I'm not sure what the actual reason behind this implementation is, TBH.
I was able to disable this controller by setting the controller-manager operator to unmanaged, scaling the deployment down, editing the "config" configmap by adding a "-" in front of the controller in the JSON, and restarting all the controller-manager pods manually. But this is an unsupported procedure.
Version-Release number of selected component (if applicable):
How reproducible:
Simply enable the TraceAll log verbosity on the openshift-controller-manager pods and all the requests will appear.
Steps to Reproduce:
1. Enable TraceAll verbosity on the controller-manager pods
2. Find the controller-manager pod leader
3. Check the logs for "quay.io"
Actual results:
The controller-manager pod is checking signatures from public quay.io
Expected results:
The controller-manager should not ?? check anything from public quay.io
Additional info:
Please check if this feature/functionality is important to at least make an RFE to maybe allow disabling this in a supported way from the Operator CR.
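
To confirm the hourly pattern from step 3 over a longer log window, the following added example (not part of the original report or of OpenShift) counts log lines that mention a registry host, bucketed by hour. The function names and the sample log lines are constructed for illustration; the only assumption about real logs is the klog timestamp prefix.

```shell
#!/bin/sh
# Added example: summarise outbound registry requests seen in
# controller-manager logs. Assumes klog-style lines
# ("Immdd hh:mm:ss.uuuuuu ..."). Feed real logs in with, for example:
#   oc logs -n openshift-controller-manager <leader-pod> | registry_hits_per_hour

# Print "<mmdd> <hh>:00 <count>" for every hour in which the host appears.
# $1 is the host to look for (defaults to quay.io, the host in the report).
registry_hits_per_hour() {
    host="${1:-quay.io}"
    awk -v host="$host" '
        # klog header: severity letter + mmdd, then hh:mm:ss.micros
        $1 ~ /^[IWEF][0-9][0-9][0-9][0-9]$/ && index($0, host) {
            key = substr($1, 2) " " substr($2, 1, 2) ":00"
            if (!(key in n)) order[++k] = key   # remember first-seen order
            n[key]++
        }
        END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }
    '
}

# Constructed sample log lines (not captured from a real cluster).
sample_log() {
    cat <<'EOF'
I0612 10:00:01.000001       1 example.go:1] GET https://quay.io/constructed/sig-1
I0612 10:00:02.000002       1 example.go:1] GET https://quay.io/constructed/sig-2
I0612 10:30:00.000003       1 example.go:1] unrelated reconcile message
I0612 11:00:01.000004       1 example.go:1] GET https://quay.io/constructed/sig-1
W0612 11:00:03.000005       1 example.go:1] proxy refused CONNECT quay.io:443
EOF
}

sample_log | registry_hits_per_hour
```

A steady count repeating in consecutive hourly buckets matches the behaviour described in the report; the same buckets can be compared against proxy or egress firewall logs.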